Mac Malware Part of Worsening Security Picture

With well-known malware threats directed against Mac computers and other devices running Apple operating systems, including the recent Backdoor.MAC.Eleanor backdoor threat and KeRanger ransomware, Apple-based systems are being attacked more often. But, say security experts, the threats are more a sign of rising cyberattacks against all devices than of any specific spike targeting Apple systems.

Every year for the last six years has been "the year of Mac malware," said Ryan Olson, director of threat intelligence for Palo Alto Networks, the firm credited with discovering KeRanger. Attacks against Macs "are growing for sure," he said. "But it's never been as huge of a problem as attacks against PCs."

The Problem with Macs

Mac attacks grew fourfold between 2010 and 2015, according to Gordon MacKay, CTO of Digital Defense, Inc. The conundrum for many Mac users is that they switch to Macs because the operating system tends to be more secure -- but as more switch, the Macs become a more lucrative target for hackers.

Part of the problem in protecting Macs is the successful job Apple has done in promoting the operating system as safer than Windows, security experts agree. While it is true that the OS X operating system has been the target of fewer attacks and Apple offers some security protections not available in Windows, this sense of security might make Mac users less likely to take common-sense security precautions when using their devices.

"It seems that there is the perception among many Mac users that their operating system is somehow immune to cyberattacks," said Ofer Caspi, advanced threat prevention researcher at Check Point. "If you add to this the fact that cyber security vendors offer relatively less protection software for Mac than for Windows, you can clearly see how cybercriminals could become increasingly more interested in creating new malware that targets Mac OS."

Malware in circulation can be retooled and built like a "Lego set" in minutes to target Windows and/or Macs, said Peter Tran, general manager and senior director at RSA. "Over the last three years alone, there have been over 1 billion reported new variants of malware in circulation, which averages to over 900,000 per day. All these variants are generally swapped and interchanged to create the new 'flavor of the minute.'"

How Is Mac Malware Different?

Mac malware is generally less sophisticated than software targeting PCs because it wasn't until the last few years that hackers started working on targeting Macs, which make up a smaller percentage of the personal computer market, Olson said.

Malware has been a cat-and-mouse game in the PC market. Hackers would develop a piece of malware, a protection would be built to defend against it, hackers would revise and evolve the attack, defenses would further evolve, and so on. With hackers starting later and developing fewer attacks against Macs, the sophistication and evolution of those attacks is running behind that of attacks against PCs, Olson said.

But in both the Mac and PC malware markets, hackers are sharing malware source code, reducing the cost to produce threats so more will be developed, said Intel security research architect Craig Schmugar. "In addition, some may see the Mac installed base as an untapped market, with a user base that is more likely to be caught off guard by an attack."

Ransomware a Growing Threat

The KeRanger exploit is just another in the growing number of ransomware threats, though so far it's the first one to specifically target Macs, MacKay said. Ransomware attacks are particularly harmful for enterprises and lucrative for hackers. The ransomware locks up the user's computer(s) and is encrypted so it can't be removed except by the hacker, who demands payment via bitcoin – virtually untraceable – before restoring the system. There are even hacker outfits providing ransomware-as-a-service, MacKay said.

"Ransomware hackers are becoming increasingly clever on the timing of their attacks. Some have even introduced a delay on the effects of the threat; users might click on a harmful link or open a dangerous email but the ransomware will stay dormant for a few days, slowly encrypting files," said Robert Gibbons, CTO of Datto. "Ransomware makers are becoming savvy in this way, wanting to make sure even the oldest backups are infected."

Datto sells appliances that are separate standalone infrastructures, with the aim of allowing users to recover data from further back in time than other backup solutions, he said.

Hackers attacking Macs use many of the same non-technical techniques as those attacking PCs. "At a high level, there’s little technical difference between the attacks," MacKay noted.

However, Mac attacks tend to rely on certain executable Mac file types, according to Nick Bilogorskiy, senior director of threat operations at Cyphort Inc. The attack vectors include: DMG, an app within an HFS container or "disk image"; PKG, an app within an XAR container and package installer; Mach-O, similar to a Windows executable file; AppleScripts, used for Apple inter-application communication; Perl/Python/Bash scripts; Bourne-again shell scripts; and extensions for Safari, Chrome and Firefox.
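As an added example (not code from the article or from any vendor quoted in it), a small Python classifier that recognizes the file types listed above by their on-disk magic bytes rather than by extension, which is how a defender triages a download whose name or icon has been disguised. The magic values come from the public Mach-O, xar, UDIF and compiled-AppleScript formats; the interpreter-to-category mapping and the sample inputs are constructed for illustration.

```python
"""Identify the Mac file types named in the article (Mach-O, DMG, PKG/xar,
AppleScript, shell/Perl/Python scripts) from their bytes, not their names."""
import struct

# Mach-O magic numbers from <mach-o/loader.h> (thin) and <mach-o/fat.h> (fat).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
FAT_MAGICS = (b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf")

# Interpreter names on a shebang line, mapped to the article's categories (constructed).
SHEBANG_KINDS = {
    "bash": "Bash script", "sh": "Bourne shell script", "zsh": "zsh script",
    "perl": "Perl script", "python": "Python script", "python3": "Python script",
    "osascript": "AppleScript (osascript)",
}


def classify(data: bytes) -> str:
    """Return a human-readable type for a file's bytes, or 'unknown'."""
    head = data[:8]
    if head[:4] in MACHO_MAGICS:
        return MACHO_MAGICS[head[:4]]
    if head[:4] in FAT_MAGICS and len(data) >= 8:
        # CAFEBABE is shared with Java .class files. A fat header stores a small
        # big-endian nfat_arch next; a Java file stores minor/major version there,
        # and Java's major version is always >= 45, so a large value means Java.
        nfat = struct.unpack(">I", data[4:8])[0]
        return "Mach-O universal (fat) binary" if nfat < 45 else "Java class file (shares magic)"
    if head[:4] == b"xar!":
        return "XAR archive (flat .pkg installer)"
    if head[:7] == b"FasdUAS":
        return "Compiled AppleScript (.scpt)"
    if head[:2] == b"#!":
        parts = data.split(b"\n", 1)[0][2:].decode("ascii", "replace").strip().split()
        # "#!/usr/bin/env python3" names the interpreter in the last token.
        interp = parts[-1] if len(parts) > 1 and parts[0].endswith("/env") else (parts[0] if parts else "")
        name = interp.rsplit("/", 1)[-1]
        return SHEBANG_KINDS.get(name, f"script ({name or 'unknown interpreter'})")
    # UDIF disk images (.dmg) end with a 512-byte trailer that starts with 'koly'.
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "Apple disk image (UDIF .dmg)"
    return "unknown"


def classify_file(path: str) -> str:
    """Convenience wrapper: classify a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())
```

Extensions from Safari, Chrome and Firefox are not covered here: they are archives or signed bundles whose contents, not a single magic number, determine what they do.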

Security experts agree that Apple has been a little more responsive than other vendors in providing security protections. In addition to vetting applications in its Apple Play store and including the Gatekeeper security application on its newer operating systems, the company has been a little quicker to respond to threats, according to analysts.

9 Tips for Fighting Mac Malware Threats

Keep systems up to date, and set systems to automatically install software patches and updates as soon as they become available.

Don’t disable Gatekeeper, a feature in Mountain Lion and OS X Lion v10.7.5 that builds on OS X's existing malware checks to help protect Macs from malware and other problem apps downloaded from the Internet.

Download apps only from the Apple store, as they are likely to be vetted to be malware-free. Avoid third-party apps from other sources.

Be careful what you click on. Many past Mac infections relied on user interaction and for users to bypass OS security features.

Be cautious about any application/tool without a signed digital certificate. There are some legitimate older applications/tools without these.

Communicate any known or suspected threats across the enterprise. If something appears suspicious, assume that it is – at least until it can be properly vetted. Caution others in the enterprise about any suspicious activity or messages seeking access to secure credentials.

Limit or disable Java and Flash, favorite resources used by hackers to develop attacks.

Disable browser-based automatic file downloads.

Stay abreast of evolving phishing and other social engineering techniques.